The Spam Problem: Moving Beyond RBLs

whirlycott writes "I just published a paper called The Spam Problem: Moving Beyond RBLs on my site. I comprehensively describe RBLs and list eight specific problems with them. I also get into ideas that next generation antispam system creators should read. I hope that this will be useful to anybody who is attending the Spam Conference at MIT on Jan 17th."
  • (referring to the intro in the article)
    I mean, you can compare it to having your entire town roped off because one person was a fraud... completely destroying said town, but you still live in it.

    Wasting an entire netblock by blacklisting it is not good....
    • by Anonymous Coward
      How about a pizza company refusing to accept orders from a particular motel because often no one will admit to ordering there? Stay at a different motel.
      If you are using an ISP that does not enforce acceptable use policies restricting unsolicited email, you are supporting spamming activity.

      In the past, when just systems that were directly associated with spam were blocked, the ISPs would move the spammer to one of the unblocked ips, and move an innocent to the blocked ip. Turns into 'whack-a-mole'.

      With most blocklists, the block starts out small, targeting just the spammer. If the ISP gets rid of the spammer, the block goes away. If the ISP ignores complaints, the block grows.
      • "How about a pizza company refusing to accept orders from a particular motel because often no one will admit to ordering there? Stay at a different motel."

        Um, exactly how much research are you expecting people to do on motels? Call them up and say "Can I order pizza there?"

        "If you are using an ISP that does not enforce acceptable use policies restricting unsolicited email, you are supporting spamming activity."

        As opposed to what? Exactly how is one supposed to go about finding out about how effective an ISP's attempts to filter spam are? The biggest problem with your argument is that spammers always change how they operate.

        Sorry, but your answers struck me as oversimplified and unhelpful. How that was modded up as 'insightful' I'll never know.

  • by Anonymous Coward on Tuesday December 31, 2002 @08:46AM (#4987607)
    Tell EVERYONE you know never to click on any spam links, or buy spamvertised products. People spam because it WORKS. The only real way to stop it is to STOP BUYING SPAMMED PRODUCTS.

    • Absolutely. Spread the message to new users. The response to spam is very small, on the order of hundredths of a percent. The spammers get negligible responses because of the sheer numbers of recipients. I can't help but think that it's mainly newbies that respond to spam; x amount of unwary sheep getting sheared the first time they see the opportunity to 'Meet lonely married people' or 'add inches to penis/bust/whatever'.
    • by Zeinfeld ( 263942 ) on Tuesday December 31, 2002 @09:21AM (#4987778)
      Tell EVERYONE you know never to click on any spam links, or buy spamvertised products. People spam because it WORKS. The only real way to stop it is to STOP BUYING SPAMMED PRODUCTS.

      The problem is that you are in a global network. It is like the problem of eating whale meat: you can persuade 99.999% of the world population that eating whale meat is a bad idea, but the other 0.0001% that is left can eat the endangered species to extinction within a matter of months.

      It only takes a vanishingly small number of businesses out there to SPAM and you have a massive problem.

      SPAM does not have to even be profitable for people to do it. If I wanted to launder a lot of drug cash I would set up a spam house and bombard people with ads for herbal viagra.

      There was a time not so long ago when the majority of the SPAM being sent out was adverts for spam software. SPAM does not have to work as a marketing method for creeps to get rich charging others to spam. The pitch line they use to haul in suckers is 'it must work or why would people do it', well no, it does not have to get one single end customer for it to work for the spammer.

    • Wrong... (Score:3, Interesting)

      by artemis67 ( 93453 )
      People spam because it's dirt-cheap. If spammers had to pay 10 an email, you'd better believe they'd be a heck of a lot more cautious about who they send to.

      And a "Stop Buying Spam Products" is doomed to fail, anyway, because it's a numbers game. If 1 person out of every 100 people spammed buys something, then it's probably an outrageously successful campaign.

      The fact is, you may be throwing out 50 spam emails a day, but if you see a subject line that speaks to an immediate need, you're probably going to stop, read it, and consider a purchase.
    • I just added 3 inches to a part of my body, refinanced my mortgage for 4%, took care of my baldness, and made thousands thanks to a giving man in Zimbabwe.

      It couldn't have been easier.

    • by Frater 219 ( 1455 ) on Tuesday December 31, 2002 @10:26AM (#4988149)
      People spam because it WORKS. The only real way to stop it is to STOP BUYING SPAMMED PRODUCTS.

      Not exactly. Besides being a theft of end-user and mail-site resources, spamming is also a scam perpetrated upon businesses. If you got spam advertising Joe's Naked Kinky Web Site, that probably isn't because Joe thought up the idea of spamming you all on his own. Most likely, a career spammer (let's call him Alan) convinced Joe that spamming was:

      1. effective,
      2. legal, and
      3. everyone's doing it anyway, so why miss out?
      Joe then paid the career spammer to spam for his naked kinky Web site. Since all three of Alan's claims are false, and he knows it, this means that Alan has defrauded Joe. He exploited the fact that Joe is probably neither an Internet expert nor a lawyer, but he does feel competition from other naked kinky Web sites, to convince him to pay for spamming.

      (Yes, Alan the spammer told the news media that spamming is effective, too ... and they believed him. He was lying there, as well -- but it got him, and spamming, free advertisement in the news!)

      This scam does not rely on spamming actually being effective, so long as vendors still believe it might get them an edge over the competition. Thus, getting people to quit buying spamvertised products cannot (directly) affect it. Only when all vendors on the Internet -- yes, including naked kinky Web sites -- realize that spamming doesn't work, isn't legal, and that they can do just as well without it, will spamming go away.

      • (Yes, Alan the spammer told the news media that spamming is effective, too ... and they believed him. He was lying there, as well -- but it got him, and spamming, free advertisement in the news!)
        Those scumbags often get big, (supposedly) reputable companies: I got spammed by none other than Equifax about a month ago!!!
  • on getting his site /.'d into a little ball of slag?

    Seriously, I'll try and review the paper...

  • Incomplete! (Score:3, Insightful)

    by Murrow ( 144634 ) on Tuesday December 31, 2002 @08:50AM (#4987627)
    You'll notice that he listed and then did not address the "Common Arguments and Justifications" for running and/or using a RBL. Just couldn't come up with a reason why privately owned servers have to accept mail from any particular person or group if they don't want to.
    • I agree with you. Look, all SPAM^h^h^h^h e-mail from Asia may NOT be SPAM, but we need some way to protect our networks from this flood of crap...

      May I be rejecting legitimate e-mail if I block China.com? Absolutely. As a matter of fact I hope I do, I hope I block a whole bunch of them. Further, I'll tell them why.

      "The network you're using sends an unacceptable amount of SPAM, there is a plethora of open relays and nothing is being done about it."

      China.com admins may not give a rat's ass if I bitch and complain. But if their customer base goes ballistic because their service is unusable for this reason, then something may happen. The best solution? No, the best solution is to drag out and kill:

      • Spammers
      • Every idiot who's purchased herbal penis enlargement and HGH
      IMHO
  • Preemptive methods (Score:5, Insightful)

    by LunarOne ( 91127 ) on Tuesday December 31, 2002 @08:51AM (#4987631)
    Simple, preemptive methods of fighting spam are often the best:


    1. Don't let a spammer verify your email address [thomsonville.com]
    2. Don't post your email address on the internet [thomsonville.com]
    3. Secure your email client [thomsonville.com]
    4. Avoid common email traps [thomsonville.com]
    5. Fight back [thomsonville.com]

    Let me know if these can be improved.

    • So... according to the webpage, all 5 tips are summarized as follows:

      Please try the following:

      • Click the Refresh button, or try again later.
      • Open the www.thomsonville.com [thomsonville.com] home page, and then look for links to the information you want.


      Gee... many thanks Slashdot!

    • by DeadSea ( 69598 ) on Tuesday December 31, 2002 @09:02AM (#4987688)
      You have no control of your email address. I only give my address that I use for personal correspondence to my family and closest friends. My father gave me a DVD rental for my Birthday, and one of my friends invited me to a party and used one of those web sites that do invitations. Between the two leaks, my address is now in the hands of spammers and I am getting 2 to 3 a day at that address. Short of beating my friends and family around the head, I don't think I can stop that sort of thing.

      Not posting your address is important. If you post your address on the internet, expect more than 10 spam a day. Similarly if you use it to post on usenet, expect more than that. It seems to be hardly sufficient, however.

      I have decided that my only recourse is to change my address every time it starts getting spam. People that email me at an old address get a note saying why the address has been disabled and a url on my website where they can fill out a form to contact me. (btw, if you are interested, you can get the contact form that I use on my website [ostermiller.org], it is designed to thwart spammers, unlike formmail and other cgi to email gateways.)

      • I have several domains, which I host myself. When ever a company asks for my e-mail address, it is always "company"@mydomain, if it is being passed through a 3rd party billing company, it is "billing"-"company"@mydomain.

        This works well, if someone sells my address, I just kill that alias.

        But what happens is some idiot I know in real life will do exactly what you said above. Or just add me to their address book, and get infected with some virus which starts sending stuff out with my address. Or what ever, my address slips out.

        So I go and kick them in the head, tell them how stupid they are.

        I also run SpamAssassin, which does catch a lot of the stuff, so for the most part my inbox is pretty bearable.
      • Between the two leaks [...] I am getting 2 to 3 a day

        I opened a new account at bellsouth.net as a result of installing DSL at home, and was spammed the next day. Because my userid is four characters long, I presume that the spammers were using a permutation technique to develop addresses.

        Sending spam is so cheap, they can afford to send stuff to *all* short email addresses, published or not.

        You can guard against leaks in your best paranoid fashion -- but they'll find you.

        Unfortunately, with so many government entities to deal with we will never have legal protection against spam. The low-lifes will simply move to more agreeable jurisdictions. Any long-term solution to the spam problem is therefore a technical issue. I predict that whitelists will become far more common in the next couple of years.
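The per-correspondent alias scheme from the post two levels up ("company"@mydomain, "billing"-"company"@mydomain, kill the alias when it leaks), combined with the point just above that short or guessed local parts get spammed whether published or not, as an added example. This is not the posters' code or any project's: a RCPT TO policy that mints one alias per company, accepts mail only for aliases that exist and are still enabled, answers 550 for everything else so that enumerating short addresses on the domain yields nothing, and records when an alias receives mail from a domain it was never handed to, which is the signal that it was sold or leaked. The domain mydomain.example, the alias table and the sample envelopes are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MY_DOMAIN = "mydomain.example"   # constructed; the domain whose aliases we control


@dataclass
class Alias:
    given_to: str                                   # domain of the company this alias was handed to
    enabled: bool = True                            # set False once the alias has leaked
    unexpected_senders: List[str] = field(default_factory=list)   # sender domains that should not know it


@dataclass
class AliasPolicy:
    aliases: Dict[str, Alias] = field(default_factory=dict)   # local part -> Alias

    def create(self, company: str, company_domain: str, role: Optional[str] = None) -> str:
        """Mint "company@" or "role-company@" and remember which domain it was given to."""
        local = company.lower() if role is None else f"{role.lower()}-{company.lower()}"
        self.aliases[local] = Alias(given_to=company_domain.lower())
        return f"{local}@{MY_DOMAIN}"

    def disable(self, local: str) -> None:
        """The alias leaked: stop accepting for it but keep the record of who abused it."""
        self.aliases[local].enabled = False

    def rcpt(self, sender: str, recipient: str) -> Tuple[int, str]:
        """RCPT TO decision. Unknown or disabled local parts get a 550, so guessing buys nothing."""
        local, _, domain = recipient.lower().partition("@")
        if domain != MY_DOMAIN:
            return 550, "5.7.1 Relaying denied"
        alias = self.aliases.get(local)
        if alias is None or not alias.enabled:
            return 550, "5.1.1 No such user"
        # Mail from anyone but the company the alias was given to is still delivered, but it
        # is evidence the alias got out. Bounces carry an empty sender and are not counted.
        sender_domain = sender.lower().rpartition("@")[2]
        if sender_domain and sender_domain != alias.given_to \
                and sender_domain not in alias.unexpected_senders:
            alias.unexpected_senders.append(sender_domain)
        return 250, "OK"

    def leaked(self) -> Dict[str, List[str]]:
        """Aliases that have received mail from domains they were never given to."""
        return {local: a.unexpected_senders for local, a in self.aliases.items() if a.unexpected_senders}


if __name__ == "__main__":
    policy = AliasPolicy()
    acme = policy.create("acme", "acme.example")
    billing = policy.create("acme", "acme.example", role="billing")
    print(policy.rcpt("invoices@acme.example", acme))        # expected sender
    print(policy.rcpt("deals@bulk.example", billing))        # unexpected sender: leak signal
    print(policy.rcpt("x@y.example", f"bob@{MY_DOMAIN}"))    # guessed short address
    print(policy.leaked())
```

The leak report is what tells you which alias to disable; rejecting at RCPT TO time rather than after DATA is what keeps a permutation run against the domain from costing bandwidth.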
    • by artemis67 ( 93453 ) on Tuesday December 31, 2002 @09:30AM (#4987820)
      I can't read your links because of a good slashdotting, but from what I see, your arguments are flawed.

      1. Don't let a spammer verify your email address

      This isn't a huge problem for spammers. If they send you an HTML email, then just opening the email (or previewing it in Outlook) can provide the verification that they need.

      Additionally, the extremely low cost of spamming means that bogus addresses are a marginal problem at best. The spammer would rather take a chance that the email account is active and send the spam than not send it.

      2. Don't post your email address on the internet

      I learned this lesson too late. A Google search pulled up a dozen newsgroup messages with my email address in them. Nine were posted by me, and I asked Google to remove them. Unfortunately, 3 are by other people quoting me, and I have no recourse to remove them. Spammers will therefore have permanent access to my main email address.

      Additionally, I have no control over emails that other people send that include my address. I hate "pass along" emails that certain people get and feel the need to send to everyone in their address book, but I can't help that a) my email address is included in a batch of 50 others, and b) it's a very convenient way for spammers to collect verified email addresses.

      3. Secure your email client

      By this I assume you mean using client-level filtering. I do. A lot. I typically get about 60-80 pieces of spam a day, and have set up 30 or so filters. But that only catches about two-thirds.

      Simply put, there is no client-level filtering solution that is going to work 100% of the time.

      4. Avoid common email traps

      I assume here that you mean things like "posting to newsgroups". You can only avoid traps that you already know about, and most people don't know about them.

      Besides, why should we live in fear of the spammers? They are encroaching on our free expression. I certainly think that the structure of email needs to be revisited to put the prohibitions on the spammers, not the recipients.
      • This isn't a huge problem for spammers. If they send you an HTML email, then just opening the email (or previewing it in Outlook) can provide the verification that they need.
        This is precisely why HTML e-mail is ***TRIPLE (secret probation) PLUS BAAAAAD***. Disable that HTML e-mail display bug^h^h^hfeature now!!!!!!
    • You are correct that the methods you list are effective at fighting spam. However, effective does not mean practical.

      For example, how does a site's webmaster (for instance - you [mailto]) separate legitimate mail from spam. Obviously because it has to be posted on the Internet, it's going to be deluged with spam. Yet it also must be read. So your failsafe rules for eliminating spam fall flat on their face.

      The real solution to spam is upgrading SMTP to require authentication before accepting mail. Booting spammers (and later, enforcing anti-spam legislation) would be a lot easier if mail headers couldn't be forged.
  • RBLs in Spamassassin (Score:3, Interesting)

    by reaper20 ( 23396 ) on Tuesday December 31, 2002 @08:54AM (#4987642)
    My spamassassin-tagged mail usually scores between 1 and 1.5 (a 5 is needed for a **SPAM** tag) - which in the grand scheme of things seems to be enough of a weight for the value of an RBL. Don't absolutely trust its value, but don't ignore it completely either.

    I don't really see why anyone would use RBLs just by themselves. Personally, I have spamassassin catching the "big spams", you know the ones with webbugs, html-only, forged headers, etc. etc. I occasionally tag those as junk in my Mozilla Mail, while tagging my normal mail as not-junk. The Bayesian filter takes care of the occasionally sneaky spam. Once trained it's an awesome combination.

    • I don't really see why anyone would use RBLs just by themselves.
      That is easy. While spamassassin does the work pretty well, you still have to download the whole crapload. RBL enabled MTAs won't accept any email as soon as a blacklisted IP wants to connect. This saves bandwidth, disk space, client side filtering (read: cpu time) and so on.
    • If you're an individual user, a computation-intensive spamassassin approach can do a really good job of blocking most spam and blocking very little non-spam. But if you're an ISP or Mail Service Provider, having a conservative RBL can save you a lot of resources, including bandwidth and computation, by throwing away the high-volume relay-abuse spams with as little work as possible, saving the more complex work for mail that's less likely to be spam. (By conservative, I mean "trying to only block actual relays and other known spammer systems", as opposed to "broad-spectrum insecticides and lists that do collateral damage to pressure ISPs or harass their competition.") That might be a 25-50% reduction in total email that the ISP needs to handle, but from an instantaneous-resources standpoint, it's probably higher than that, because spam tends to come in high-volume blasts, while real email is mostly Poisson arrivals. And if an ISP's failure responses are the "Temporarily inaccessible, try again later" type as opposed to permanent rejections, real email systems are much more likely to try again later than spammers are (though of course open relays may still try again later, because they're just mal-administered, not necessarily broken.)
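The mechanics behind this sub-thread (an RBL hit as one weighted score in the content filter, versus rejecting or deferring at connect time before the body is ever downloaded), as an added example that is not code from the page, from SpamAssassin or from any MTA. A DNSBL is queried by reversing the client's octets and appending the list's zone; a listing comes back as an A record in 127.0.0.0/8. The zones relays.example, broad.example, scored.example and broken.example, the answers in the sample zone, the policy table and the reply texts are all constructed for illustration; a real MTA would ask the resolver instead of the dictionary used here.

```python
import ipaddress
from typing import Callable, List, Optional, Tuple

# Constructed stand-in for DNS answers, keyed by DNSBL query name. A real MTA would resolve
# these names; the zones and addresses here are made up for the example.
SAMPLE_ZONE = {
    "4.3.2.1.relays.example": "127.0.0.2",    # 1.2.3.4: on the conservative open-relay list
    "10.8.7.10.broad.example": "127.0.0.3",   # 10.7.8.10: on a broad, collateral-damage-prone list
    "9.8.7.10.scored.example": "127.0.0.2",   # 10.7.8.9: on a list we only add weight for
    "5.5.5.5.broken.example": "10.20.30.40",  # 5.5.5.5: a dead or wildcarded list answering outside 127/8
}


def dnsbl_name(ip: str, zone: str) -> str:
    """Query name for ip in zone: octets reversed, then the zone. 1.2.3.4 -> 4.3.2.1.zone"""
    octets = str(ipaddress.IPv4Address(ip)).split(".")   # raises ValueError for anything not IPv4
    return ".".join(reversed(octets)) + "." + zone


def dnsbl_lookup(ip: str, zone: str, resolve: Callable[[str], Optional[str]]) -> Optional[str]:
    """Return the list's answer if ip is listed in zone, else None."""
    answer = resolve(dnsbl_name(ip, zone))
    if answer is None:
        return None
    # Lists signal a hit with an A record in 127.0.0.0/8. Anything else is "not listed":
    # a list that shut down and wildcarded its zone would otherwise block every client.
    if ipaddress.IPv4Address(answer) not in ipaddress.IPv4Network("127.0.0.0/8"):
        return None
    return answer


# Policy table, checked in order. "reject": 5xx at connect time. "defer": 4xx, which a real MTA
# retries later and most bulk spam software does not. "score": only add weight for the content
# filter, which is how SpamAssassin treats its RBL rules (threshold 5 by default).
Policy = List[Tuple[str, str, float]]
POLICY: Policy = [
    ("relays.example", "reject", 0.0),
    ("broad.example", "defer", 0.0),
    ("scored.example", "score", 1.5),
    ("broken.example", "score", 1.0),
]


def connect_decision(ip: str,
                     resolve: Callable[[str], Optional[str]] = SAMPLE_ZONE.get,
                     policy: Policy = POLICY) -> Tuple[int, str, float]:
    """What to tell a connecting client: (smtp_code, reply_text, score_for_content_filter)."""
    score = 0.0
    for zone, action, weight in policy:
        hit = dnsbl_lookup(ip, zone, resolve)
        if hit is None:
            continue
        if action == "reject":
            # An informative rejection: the sender's postmaster sees which list and where to look.
            return 550, f"5.7.1 Client {ip} is listed in {zone} ({hit}); see http://{zone}/?ip={ip}", score
        if action == "defer":
            return 451, f"4.7.1 Client {ip} is listed in {zone}; try again later", score
        score += weight
    return 250, "OK", score


if __name__ == "__main__":
    for client in ("1.2.3.4", "10.7.8.10", "10.7.8.9", "5.5.5.5", "192.0.2.1"):
        print(client, connect_decision(client))
```

The 127/8 check is the caveat worth keeping: several lists have shut down by answering every query, and an MTA that treats any answer as a hit then rejects all mail.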
  • what he missed... (Score:2, Insightful)

    by erc ( 38443 )
    Quite a bit, actually. This reads like a topical treatment by someone who really doesn't know the subject. For example he mentions whitelisting, but in the solutions section, completely ignoring the fact that there are already solutions, both commercial and open source, that use whitelisting, blacklisting, and greylisting. In fact, I wrote one about 6 months ago for a client, and they are quite happy about it, it affords them complete spam protection.
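Greylisting, named in the post above as one of the techniques already in use and resting on the retry behaviour described a few posts earlier (a real MTA retries a temporary failure, bulk mailers mostly do not), as an added example that is not the poster's code or any project's. It keeps a triplet of client /24, envelope sender and recipient; the first attempt gets a 451, a retry after the delay is accepted, and a /24 that has passed a few times is whitelisted so later mail is not slowed. The delay, expiry and auto-whitelist thresholds are assumptions, and the clock is injectable so the behaviour can be exercised without waiting.

```python
import time
from typing import Callable, Dict, List, Set, Tuple

GREYLIST_DELAY = 300          # seconds a new triplet must wait before it is accepted (assumed)
GREYLIST_EXPIRE = 4 * 3600    # a triplet not seen for this long is forgotten (assumed)
AUTOWHITELIST_AFTER = 3       # deliveries from one /24 before it skips greylisting (assumed)

Triplet = Tuple[str, str, str]
TEMP_FAIL = (451, "4.7.1 Greylisted, please try again later")


class Greylist:
    def __init__(self, now: Callable[[], float] = time.time):
        self.now = now
        self.entries: Dict[Triplet, List[float]] = {}   # triplet -> [first_seen, last_seen]
        self.passed: Dict[str, int] = {}                # /24 -> deliveries accepted after the delay
        self.whitelisted: Set[str] = set()              # /24s that no longer get greylisted

    @staticmethod
    def key(client_ip: str, sender: str, recipient: str) -> Triplet:
        # Key on the /24 so a site whose outbound MTAs share a range and retry from a
        # different address still gets through. Sender is empty for bounces; that is fine.
        net = ".".join(client_ip.split(".")[:3])
        return (net, sender.lower(), recipient.lower())

    def check(self, client_ip: str, sender: str, recipient: str) -> Tuple[int, str]:
        """Reply for one delivery attempt, decided at RCPT TO time."""
        t = self.now()
        key = self.key(client_ip, sender, recipient)
        net = key[0]
        if net in self.whitelisted:
            return 250, "OK"
        entry = self.entries.get(key)
        if entry is None or t - entry[1] > GREYLIST_EXPIRE:
            self.entries[key] = [t, t]          # new, or stale enough to start over
            return TEMP_FAIL
        entry[1] = t
        if t - entry[0] < GREYLIST_DELAY:
            return TEMP_FAIL                    # retried too soon; keep waiting
        # Retried after the delay: the behaviour of a real MTA, so accept and count it.
        self.passed[net] = self.passed.get(net, 0) + 1
        if self.passed[net] >= AUTOWHITELIST_AFTER:
            self.whitelisted.add(net)
        return 250, "OK"


if __name__ == "__main__":
    clock = [1_000_000.0]                     # constructed clock so the demo runs instantly
    g = Greylist(now=lambda: clock[0])
    print(g.check("192.0.2.10", "alice@x.example", "bob@y.example"))   # 451: first contact
    clock[0] += GREYLIST_DELAY + 60
    print(g.check("192.0.2.11", "alice@x.example", "bob@y.example"))   # 250: retry from same /24
```

Greylisting costs legitimate first-contact mail a few minutes of delay and nothing else, which is the trade the earlier post describes: temporary failures are the one response real mail systems and spam software handle differently.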
  • Is this "published" just because he put it up on his website and told people about it, or will it actually be published in a journal somewhere?
  • Whiner... (Score:5, Interesting)

    by DaGoodBoy ( 8080 ) on Tuesday December 31, 2002 @08:57AM (#4987657)
    My company was collateral damage on SPEWS last month and I kicked the *^&^#$* out of our ISP for hosting Global Travel on our netblock. They got booted and we got cleaned off the list. Bada-bing bada boom.

    RBLs are like a fever. They tell you when something is wrong and only a dork blames the fever when the problem is the disease. Get your ISP to whack the spammer or change ISPs.

    http://groups.google.com/groups?threadm=Fc6K9.2625 2%24Db4.726975%40twister.tampabay.rr.com [google.com]

    • Re:Whiner... (Score:5, Insightful)

      by minas-beede ( 561803 ) on Tuesday December 31, 2002 @09:56AM (#4987981)
      In your case it worked out. If you had simply been asked to persuade your ISP to boot the spammer would you have ignored the request? Are you actually so dense that it takes blocking your email to get you to act?

      Note that I'm not trying to claim you are dense or prove it - my point is that you could have been reached in a way that led to the same result but that DID NOT block your valid email. Is there any reason why the brutal method should be the one chosen first? Uh, any good reason - surely there are thugs who enjoy using their power to abuse others.

      Not to mention that there's been more than one case in NANAE where the collateral damage was suffered by someone related to an ISP that had long ago booted the spammer but had not removed all traces. No spam flowed because of the omission, the listing was long after the spammer was removed, no risk to anyone existed. Still, the IP of an innocent party was wrongly listed, wrongly blocked, much time and energy was spent discussing it in NANAE, a person and organization that could perhaps have become spam opponents were given reason to hate the guts of spam fighters. No win of any kind I can see in that.

      And, of course, the brutal blocking actions haven't ended spam, other than the occasional anecdotal victory. I ran an open relay honeypot, I saw how modern bulk spammers operate. The DNSBLs are a weak tool to deal with that. Don't take my word for it: run your own open relay honeypot. You'll quickly learn a lot about how spammers operate. All the while you'll be stopping their spam, too. Open proxy honeypot? Bless you - you'll also do wonders.

      (Any of you sendmail experts able to figure out my pseudonym?)
      • Re:Whiner... (Score:3, Insightful)

        by theLOUDroom ( 556455 )
        In your case it worked out. If you had simply been asked to persuade your ISP to boot the spammer would you have ignored the request? Are you actually so dense that it takes blocking your email to get you to act?

        Dense?
        Why are you even mentioning the word dense?
        He was a friggin customer! His email being blocked was the first indication he had that a spammer was hosted by his isp.
        So what next? He asks his isp to boot the spammer. If they refuse, he doesn't want to have an account with them anyways, so he'll go somewhere else. Seems fine to me.

        It's hardly "brutal" anyways. The email bounces, it doesn't just disappear and leave him wondering why no one ever replies.

        Finally, if the isp is only partially fixing a spam problem, after booting the spammer, then they're incompetent and you don't want to be working with them anyways. The ip you complain was "wrongly blacklisted" was actually rightly blacklisted. It just wasn't removed from the list, because someone wasn't doing their job.

        If an isp gets a notification that an ip has been added to a blacklist, isn't it obvious that they should contact the maintainer of that blacklist when the problem is fixed? The fault in your example does not lie with the blacklist, but with the isp. If you choose a crappy isp, expect problems.
      • Re:Whiner... (Score:3, Insightful)

        by Erik Fish ( 106896 )

        Not to mention that there's been more than one case in NANAE where the collateral damage was suffered by someone related to an ISP that had long ago booted the spammer but had not removed all traces.

        That's life in the big city. Most of the time this happens when an ISP thinks that it's good enough to just remove the web site but still host DNS or mail for the spammer. This is called "spam support services" and is a no-no. Even on the rare occasion when it's something like IP addresses still showing up as being allocated to the spammer, how is anyone outside the ISP supposed to know that the spammer is no longer a customer? So many ISPs come to NANAE begging to be delisted when they have done literally nothing about their blatant spam problems that why should the one out of ten that is simply incompetent be given special consideration?

        And, of course, the brutal blocking actions haven't ended spam

        Oh somebody call a waaaaam-bulance. Free clue: Nothing will end spam. Even if e-mail becomes metered you will still get spam -- it will just come from the people who send you paper junk mail instead of Alan Ralsky.

    • Re:Whiner... (Score:5, Insightful)

      by melonman ( 608440 ) on Tuesday December 31, 2002 @10:00AM (#4987996)

      RBLs are like a fever. They tell you when something is wrong and only a dork blames the fever when the problem is the disease.

      It's not like any fever I've come across. For the analogy to hold, when I'm ill my entire village would get a fever, and some of the population might die, in the hope that the sound of the ambulances and funerals might alert me to the fact that I have a problem.

      I'm glad you are so happy about having your reputation threatened when you have done nothing wrong. Our business is hosting websites on our own machines in a server park. Server parks are always going to be a good place for spammers to rent cheap machines, and if our clients start getting their mails bounced, they don't write to the server park owners, they cancel their contracts with us. And, no, we can't just take our servers elsewhere at 3 minutes' notice, so the RBL puts zero economic pressure on our server park (which seems to act fairly promptly on abuse complaints anyway).

      RBLs punish the innocent to get at the guilty. This is wrong. The next time my business is hit by SPEWS or any other such system, I'm going to start writing pithy articles for the general press, with the aim of scaring customers away from ISPs that use RBLs, eg "Do you want your ISP to tell you what email you can read?". And I shall certainly take legal advice on whether I can sue companies who bounce my mail with any rejection message containing the word 'spam' for libel or something similar.

      • And I shall certainly take legal advice on whether I can sue companies who bounce my mail with any rejection message containing the word 'spam' for libel or something similar.

        Are you also taking legal advice on whether you can sue the /. posters who post a reply containing the word 'idiot' for libel or something similar?

        • Are you also taking legal advice on whether you can sue the /. posters who post a reply containing the word 'idiot' for libel or something similar?

          No, because none of our customers read /. :-)

      • "And I shall certainly take legal advice on whether I can sue companies who bounce my mail with any rejection message..."

        Ok hotshot, I've just added cyberporte.co.uk to our local RBL list and taken the liberty of posting a link (with a C&C warning) to your post on NANAE. Would you like the address of our attorney now....

        This tactic has been tried several times before. There is no right to deliver (or even connect to) our or anyone else's systems. We can (and will :) reject you with any message, or none at all, at our choosing.

        If you decide to read a bit more you'll find that most RBL rejection messages refer you to a page or site that is usually pretty explicit in telling you why your netblock or address range has been rejected.

        Oh, and for the record, we make sure our users are aware that we use RBLs. Currently we have (including yours) 549 netblocks listed in our local RBL list, that's not including the 12519 that we have SPEWS blocking at the firewall... I'm not counting the 6 country wide netblocks that are banned.

        The argument "Do you want your ISP to tell you what email you can read?" is sure to carry a hell of a lot of weight with joe internet user who's tired of all the MMF/Porn/Junk spam he's getting these days.

        If there were any decent ways to block spam without resorting to the netblock method, we would gladly use it, but given the past attempts at such methods, I just don't see it happening.
        • Re:Whiner... (Score:5, Insightful)

          by melonman ( 608440 ) on Tuesday December 31, 2002 @11:00AM (#4988401)

          Ok hotshot, I've just added cyberporte.co.uk to our local RBL list and taken the liberty of posting a link (with a C&C warning) to your post on NANAE. Would you like the address of our attorney now....

          This is great, you've just demonstrated that RBLs are not neutral, and are driven more by a desire to punish than to solve the problem. If I ever need to send an email from that domain, I'll use one of our other smtp servers, or that of one of my ISPs, or rent a clean one, or... the problem last time was that I didn't know how ineffective RBLs are. The one thing I'm not going to do is change my server park because someone on the other side of the world is on a quixotic crusade. It's not my battle, and I object to people trying to enlist me.

          Why your netblock or address range has been rejected.

          In our case, it is because one machine in our 16-bit IP range had been used for spam, so SPEWS blocked 65,000 machines, each of which is administered by a different person/company. How does jeopardising the existence of my company, whose smtp server is clean, help to fight against spam? Like I said, we can't just pick up a fairly full server and take it somewhere else, so there is no real economic pressure on the server park.

          Joe Internet user is tired of spam

          See n previous /. discussions about this, but the (statistically) average email address gets about 3 a day. Quite a lot of /.ers say they get very few spams, and many of those who do say that the annoyance value is pretty low. On the other hand, if you are trying to buy a skyscraper (real example) and you can't get emails from the estate agent, who happens to be in a different continent, that is extremely annoying, especially if there is absolutely no reason for blocking that particular server.

          Any decent way to block spam

          Err, if netblock is such a greeeeat system, how come spam is increasing? Am I missing something? If there is a consensus that spam is a major problem, legislate against it. I don't have a problem with that. I do have a problem with what mrneutron calls 'collateral damage', ie people damaging my reputation to get at someone else, especially when the system obviously isn't reducing the amount of spam sent globally.

      • 'SPEWS is bad, so DNSBLs are bad!'

        Wrong. I use DNSBLs to block 10,000+ spams/week aimed at my users. I was using static relay REJECTs via the sendmail access file, but could not keep up with the torrent and increasing user complaints.

        Aside from the obvious potential waste of time and bandwidth those 10,000 spams represent, much of it is obscene and sent by criminals.

        I also track rejected mail and whitelist relays when necessary. This system works very well.

        I chose not to use SPEWS due to collateral damage concerns. It's my call. If you are a postmaster, it's your call as well. One size does not fit all. DNSBLs are an invaluable tool.
      • SPEWS co-opts individual admins (via osirusoft, SpamAssassin, etc.) into a clearly documented process which bears many similarities to economic extortion. SPEWS (with justification) delegates responsibility for economic collateral damage to the individual admins whose servers act upon SPEWS RBL publications.

        Some experienced sysadmins do not endorse SPEWS' wholesale blacklisting of entire netblock neighborhoods. Those admins choose not to use SPEWS RBL, but may choose to use RBLs that cause less collateral damage. Some experienced sysadmins use SPEWS RBL because they do endorse SPEWS' clearly documented process which bears many similarities to economic extortion.

        Many inexperienced sysadmins use osirusoft (e.g via SpamAssassin) without knowing the difference between SPEWS and other RBLs aggregated by osirusoft. Without knowing that difference, these inexperienced sysadmins unknowingly endorse SPEWS' clearly documented process which bears many similarities to economic extortion.

        One answer is a SPEWS whitelist + reciprocal blacklisting. Create a whitelist of SPEWS-blacklisted-but-collateral-damage IPs which have *never* been accused by SPEWS (or other RBL) of spamming. When an ISP causes collateral damage by enforcing the SPEWS RBL against a presumed-guilty-but-never-accused IP that exists in the SPEWS whitelist, ask the individual sysadmin to use the SPEWS-collateral-damage whitelist.

        If an individual sysadmin uses the SPEWS RBL but chooses not to use the SPEWS-collateral-damage whitelist, they would be endorsing SPEWS' clearly documented process which bears many similarities to economic extortion. Such explicit endorsement will earn such individual sysadmins membership in an IP blacklist of "sysadmins who support SPEWS' clearly documented process which bears many similarities to economic extortion". This blacklist would then be enforced by sysadmins whose IPs are SPEWS-blacklisted-without-spam-accusation.

        This unbundling mechanism provides a technical means for individual sysadmins to endorse SPEWS' valuable spam-fighting contributions without endorsing SPEWS' clearly documented process which bears many similarities to economic extortion.

        Long-term, the solution is pseudonymous, non-profit TLS certificates for SMTP servers [whospams.net] with social (not economic or calendar) seniority (cf. Apache Incubator). The economic variety exists at bondedsender.org, along with whitelist patches for popular open-source MTAs.

  • by JLyle ( 267134 ) on Tuesday December 31, 2002 @08:57AM (#4987661) Homepage
    I hope that this will be useful to anybody who is attending the Spam Conference at MIT on Jan 17th.

    To ensure that they all get this information in time for the conference, maybe you could just get a list of all the attendees' e-mail addresses and bulk-mail a copy of the paper to them?
  • RBL vs. DNSBL (Score:4, Interesting)

    by Cheeze ( 12756 ) on Tuesday December 31, 2002 @08:58AM (#4987668) Homepage
    Mail nazis are going to start a flame war over the use of RBL. Apparently, RBL is a term only used in conjunction with www.mail-abuse.org's MAPS RBL. The proper term is DNSBL (DNS Black List, or DNS Black-hole List).

    Whatever you call it, if you're not running your own internal RBL/DNSBL list, you open yourself to high-capacity spammers that use newly open relays on cable modems, DSL lines, and random dialup accounts. If you run your own DNSBL list, you can easily send back an informative disconnect error message.

    For some reason, Brazil and China are the biggest spammers on the mail servers I run. I blocked a whole /16 and no one noticed.
  • EFF said it better (Score:5, Informative)

    by Lumpish Scholar ( 17107 ) on Tuesday December 31, 2002 @09:00AM (#4987674) Homepage Journal
    whirlycott's article points to the Electronic Freedom Foundation's Public Interest Position on Junk Email [eff.org] (Google cache [216.239.37.100]), which begins:
    Executive Summary: Any measure for stopping spam must ensure that all non-spam messages reach their intended recipients.

    For the past several years, the Electronic Frontier Foundation (EFF) has watched with great interest the debate regarding what to do about unsolicited bulk email from strangers, or spam. We have been asked to lend our support to bills that have been introduced in Congress, and we have been approached in various other ways to help lead the fight against this annoying intrusion into people's email mailboxes.

    While members of the EFF staff and board find this unsolicited email to be as annoying as everyone else, we believe that the two most popular strategies for combatting it so far--legislation and anti-spam blacklists--have failed in their fundamental design. Anti-spam bills have been badly written, are unconstitutionally overbroad, and frequently wander into areas where legislators have no expertise, such as the establishment of Internet standards. And anti-spam blacklists, such as the MAPS RBL (Mail Abuse Prevention System Realtime Blackhole List, the most popular), result in a large number of Internet service providers (ISPs) surreptitiously blocking large amounts of non-spam from innocent people. This is because they block all email from entire IP address blocks--even from entire nations. This is done with no notice to the users, who do not even know that their mail is not being delivered.

    The focus of efforts to stop spam should include protecting end users and should not only consider stopping spammers at all costs. Specifically, any measure for stopping spam must ensure that all non-spam messages reach their intended recipients. Proposed solutions that do not fulfill these minimal goals are themselves a form of Internet abuse and are a direct assault on the health, growth, openness and liberty of the Internet.

    Email is protected speech. There is a fundamental free speech right to be able to send and receive messages, regardless of medium. Unless that right is being abused by a particular individual, that individual must not be restricted. It is unacceptable, then, for anti-spam policies to limit legitimate rights to send or receive email. To the extent that an anti-spam proposal, whether legal or technical, results in such casualties, that proposal is unacceptable.
    • by Zeinfeld ( 263942 ) on Tuesday December 31, 2002 @09:59AM (#4987989) Homepage
      Executive Summary: Any measure for stopping spam must ensure that all non-spam messages reach their intended recipients.

      The problem with the vast majority of pseudo-solutions to spam is that the promoters simply will not listen to any ideas other than the one they first thought of and they simply won't listen to people who point out that blocking good mail is a serious problem.

      The 'cry me a river' response is as idiotic as it is arrogant. SPAM is a problem, failure to deliver email is a bigger problem.

      That does not mean that we don't address the problem of SPAM, it just means that we have to approach the problem from both ends, identifying the good signal as well as eliminating the bad.

      The MIT conference is likely to be a failure because the organizers are only presenting the tried and failed filtering approaches of the past. Those approaches are now well understood; they can mitigate the problem but can never do more than that. Filters suffer from reverse network effects: the more widely used they are, the greater the incentive to program around them.

      Blacklists fail for many reasons, not least complete lack of accountability. As the paper reports, the operator of one blacklist that claimed to only list open relays actually listed sites for other reasons. Ultimately a blacklist that does not have some robust accountability structure is simply a vigilante operation. Vigilantes are frequently popular with people who think they are victims of crime regardless of whether they create more problems than they solve.

      The tools we need to start applying are digital signatures and email authentication in combination with whitelists. This follows sound business process: if you want to talk to someone well known, their secretary will use a two step process, first ask who you are and check to see if you match the access criteria (e.g. to set up a cold call meeting with a Fortune 100 CEO you had better be a Fortune 500 CEO), then check to see if you really are who you claim to be.

      Authentication and Authorization require no heuristics and there is no feasible counter-strategy for the spammers.

      I believe that the way to stop spam in the long term is to deploy signed email ubiquitously. Self signed certificates are sufficient for this purpose if we can provide a lightweight authentication via a DNS-linked PKI.

      For example consider the problem of stopping spam to email lists. These are a prime target for spammers as the email server does most of the work. As a result most email lists are now filtered so that only subscribed readers can post. This has in turn been gamed by the spammers who use automated tools to scan the archives of an email list and send emails with forged headers purporting to come from another subscriber. Authentication and authorization prevents this mode of attack.

      The counter-argument to using authentication is that the spammers can get their own credentials. If you spend some time analysing SPAM however you will find out that this is unlikely. Almost every spam has forged or obscured headers. While this does not prove that this is a requirement, it is certainly indicative of the fact that the spammers do not want this type of visibility.

      Even if a spammer can get a credential they are most unlikely to get a credential that would match my personal whitelist which would consist of the signing keys of the email lists I subscribe to and the domain names of the member companies of W3C and OASIS.

      • I believe that the way to stop spam in the long term is to deploy signed email ubiquitously. Self signed certificates are sufficient for this purpose if we can provide a lightweight authentication via a DNS-linked PKI.

        SMTP already has a good way of authenticating who you are receiving email from. It is called the IP address of the machine that is contacting you and the IP sequence numbers of the packets that have to travel between you. All you need is a list of the IP addresses of the people who you want to receive email from and a list of ones you don't.

        But, of course, this is what the current blacklists do!

        Any email authentication system is going to run into most, if not all, of the same problems that DNSBLs run into. They are also going to have the problem of trying to get the entire world to change.

        • SMTP already has a good way of authenticating who you are receiving email from. It is called the IP address of the machine that is contacting you and the IP sequence numbers of the packets that have to travel between you. All you need is a list of the IP addresses of the people who you want to receive email from and a list of ones you don't.

          Actually this approach is regularly proposed but actually it is more complex than that. The problem is that there is no single model for using SMTP and SMTP certainly does not provide one.

          In particular a large amount of email is sent from machines that have no connection to the host name the email is purported to be from. Most unix mailers simply send the mail direct.

          Any email authentication system is going to run into most, if not all, of the same problems that DNSBLs run into. They are also going to have the problem of trying to get the entire world to change.

          I have helped do that before, your posting to slashdot is demonstration.

          What is needed is a scheme such that the incentive to opt-in is greater than the cost of opting in for all network sizes. I believe that there are ways of promoting the authentication approach that have this property.

          The problem with network effects is that they cut both ways. Whenever someone talks about viral marketing I short their stock unless they can show that there is a significant benefit to opting in before the network exists. Otherwise your 'network effect' is really a chicken and egg problem.

    • Any measure for stopping spam must ensure that all non-spam messages reach their intended recipients.
      If that were true, ISPs would have absolutely no reason to kick their spammers and the admins of open relays and open proxies would have no reason to secure their systems against abuse.

      In short, nobody would slow down the spammers and our inboxes would be flooded by spam, even if the filters were 99% effective.

      The only way to reduce the amount of spam you receive is by reducing the amount of spam being sent.

      Personally I use the SBL [spamhaus.org] and DSBL [dsbl.org] lists to block mail from known spammers, their supporters and open relays and open proxies.

      Email is protected speech. There is a fundamental free speech right to be able to send and receive messages, regardless of medium.
      Spammers have a right to free speech, but they have no right to free speech on my property. If they want to advertise, let them set up a website I can view when I want to. Free speech is about speech in public areas and is not relevant when it comes to private property. Free speech does not trump private property rights. If you think free speech does apply to private property, send me your address and I'll organise an industrial and hard rock concert in your garden.

      Having said that, I think it would be good if every user could choose for him/herself the filters used on his/her mailbox. If only because the users are likely to choose much more aggressive filtering than ISPs could ever set up by default.

  • The section on open relays I find rather odd. An 'open' relay is a relay that accepts mail from anyone to anyone, something which is an extremely bad habit. This guy starts arguing it's necessary to have open relays to deliver mail for some unspecified reason. It's not. You relay mail to legitimate addresses behind your mail relay, and you relay mail from legitimate addresses behind your mail relay, and you don't relay to anyone else. Then you don't have an open relay. There is no way there's any technical reason to relay from anyone on the outside to anyone else on the outside, ever.

    Has he completely missed that point?

    Oh, well. If I'm to replace RBL type filtering with another anti-spam mechanism, there's only one I'd consider. That one is going complete pre-mail opt-in, in which case he's far more screwed than he is today. Live with the trouble of RBLs and get your ISP to do the right thing, or get a far, far more draconian solution.
    • The only situation I can think of is one where the SMTP server in place must run an old version of the software for compatibility or licensing reasons. In that case, one could probably still manage access via stateful packet inspection, although the cost outlay there would probably outweigh any savings gained by maintaining an obsolete SMTP server.

      There are surprisingly recent OSes that still can't limit relaying to specific hosts; it's all (open) or nothing (closed). One example: OpenVMS. Until TCPIP v5.1 last year, it didn't have this capability. Of course, the excellent third-party Multinet has for some time.

      • There are surprisingly recent OSes that still can't limit relaying to specific hosts; it's all (open) or nothing (closed).

        If an OS is not secure enough to be put on the big, bad, internet, it should be put behind one that is. Obsolete and/or deficient software is a reason for firewalls and proxies, not for being a menace to the network.
    • Re:Open Relays (Score:3, Insightful)

      Has he completely missed that point?

      I'd have to say, yes.

      Personally I use Spamcop's [spamcop.net] RBL and reporting service. I check the held mail page a couple of times a day. I have yet to see a legitimate mail be blocked and it's reduced the number of spams a day I get from hundreds to 2 or 3.

      Maybe some RBLs still work the way the author describes but from what I'm hearing that's not the way many work now. Now it's more like a reporting user receives a spam (hopefully very near the start of the spamming run) and reports it. The reporting system works out the most probable source and lists it (due to the fact that spammers often move within a netblock, the netblock rather than the individual IP address has to be blocked for the RBL to be effective); the system also mails the admin address for the appropriate domain (and any listed interested third parties) with the information required to identify the spammer and asks them to deal with them. That IP address is also monitored by the RBL. When the spammer stops sending spam or the administrator informs the RBL operator that they've dealt with the problem, the netblock is taken off the RBL.

      If the mail system administrators are on the ball and not asleep at the switch, there's no reason why the total time from a netblock being entered into an RBL to being removed need be more than a couple of hours. If they're crap at their job or belligerent then they don't deserve honest customers.

      The complaints made by the author of this paper are very reminiscent of some of those I've seen on antispam/pro-RBL mailing lists from spammers who've had their spams stopped by RBLs. Draw your own conclusions, but I'm inclined to go with "If it looks like a duck, it quacks like a duck and tastes great with plum sauce...".

      Stephen

  • by JSkills ( 69686 ) <.jskills. .at. .goofball.com.> on Tuesday December 31, 2002 @09:03AM (#4987690) Homepage Journal
    Ok this one's not for everyone. What we did at goofball.com [goofball.com] is to set up a user configurable spam filtering system based on a combination of rules and use of the RBL.

    There is a simple web based front-end that allows users to add and modify rules for accepting or rejecting mail based on a variety of factors - all saved in the database. Things like checking the subject, to, from, or the body of an incoming email for the presence (or lack) of certain strings is a simple example.

    All of this is done in Perl using Mail::Audit of course. I know there's Spam Assassin, but this was a little more fun (and customizable) for us.

    The final check is the Realtime Blackhole List. When we first implemented this solution, we noticed in the logs that almost everything was on the RBL (even mail from yahoo.com). In fact, our own server was on the RBL. We'd never sent spam before, but I'm sure our relay was open at one time or another.

    Since the system is configured to look for "accept mail" rules first, the solution came down to adding "accept" rules for pretty much everyone we knew, so that mail from known parties would be accepted even if on the RBL.

    So now I get no spam at all - ever. I get very little mail at all in fact. It's really analogous to having an unlisted phone number. It's not the perfect solution by any means, but I'll take it any day over slogging through literally hundreds of spam mails every day ...
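An added example (my own code, not from any poster on this thread) of the policy the goofball.com post describes ("accept" rules first, then the RBL), combined with the collateral-damage whitelist and the "informative disconnect error message" suggested earlier in the thread. The DNSBL zone name, the host name and the stub resolver are constructed placeholders so the code runs offline; a real deployment would issue the DNS query instead.

```python
"""DNSBL check with a whitelist consulted first.

Real DNSBLs are queried by reversing the IPv4 octets and appending the
zone name: 203.0.113.9 checked against dnsbl.example.invalid becomes
9.113.0.203.dnsbl.example.invalid. An A record in the answer means
"listed"; NXDOMAIN means "not listed".
"""
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

# Constructed DNSBL zone name (placeholder, not a real list).
DNSBL_ZONE = "dnsbl.example.invalid"
# Constructed receiving host name used in the SMTP greeting.
MY_HOSTNAME = "mail.example.invalid"

# Constructed stand-in for DNS: query name -> A record answer.
# 127.0.0.2 is the conventional "listed" answer used by many DNSBLs.
# The whole 203.0.113.0/24 block is pretended to be listed here,
# so .1 is collateral damage and .9 is the actual spam source.
FAKE_DNS: Dict[str, str] = {
    "9.113.0.203.dnsbl.example.invalid": "127.0.0.2",
    "1.113.0.203.dnsbl.example.invalid": "127.0.0.2",
}


def dnsbl_query_name(ip: str, zone: str = DNSBL_ZONE) -> str:
    """Build the reversed-octet lookup name for an IPv4 address."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on bad input
    return ".".join(reversed(addr.exploded.split("."))) + "." + zone


def stub_lookup(name: str) -> Optional[str]:
    """Stub resolver: the A record for name, or None for NXDOMAIN."""
    return FAKE_DNS.get(name)


def is_listed(ip: str, zone: str = DNSBL_ZONE,
              resolve: Callable[[str], Optional[str]] = stub_lookup) -> bool:
    """True if the DNSBL returns an answer for this address."""
    return resolve(dnsbl_query_name(ip, zone)) is not None


class ConnectPolicy:
    """Decide at connect time whether to talk SMTP to a client.

    whitelist holds addresses or CIDR blocks known to be listed only as
    collateral damage (never accused of spamming); they bypass the DNSBL.
    """

    def __init__(self, whitelist: List[str], zone: str = DNSBL_ZONE,
                 resolve: Callable[[str], Optional[str]] = stub_lookup):
        self.whitelist = [ipaddress.ip_network(w, strict=False)
                          for w in whitelist]
        self.zone = zone
        self.resolve = resolve

    def whitelisted(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.whitelist)

    def decide(self, ip: str) -> Tuple[bool, str]:
        """Return (accept, greeting_or_rejection) for a client address."""
        if self.whitelisted(ip):
            return True, f"220 {MY_HOSTNAME} ESMTP"
        if is_listed(ip, self.zone, self.resolve):
            # 554 at the greeting: the client learns exactly why it was
            # refused, so its postmaster can get the listing resolved.
            return False, (f"554 5.7.1 {ip} is listed in {self.zone}; "
                           "contact your ISP's abuse desk for delisting")
        return True, f"220 {MY_HOSTNAME} ESMTP"


if __name__ == "__main__":
    policy = ConnectPolicy(whitelist=["203.0.113.1"])
    for client in ("203.0.113.9", "203.0.113.1", "198.51.100.7"):
        print(client, policy.decide(client))
```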

  • 1. If SPAM wasn't so bad or annoying, or system resource draining, the USE of RBLs would not only decline, it would likely stop.

    _NOTE_ IOHE RBL's in on a single mailserver rejected over 70% of all incoming requests. It took more than 90 days before we had our first complaint from using that RBL. Think of all the mail that didn't get delivered and the saved disk space, system resources et al.

    2. Any RBL used is the choice of **insert org here** and not on the people sending mail.

    _NOTE_
    Very often the people charged with running **insert org here**'s mail server have been told "you must reduce the amount of spam I receive". For many, RBLs are an effective way of doing just that.

    3. If the author's point about the legality of relay testing can in fact be upheld in a court, then ALL SPAM is illegal. Since this has not been found to be the case in US courts, then relay testing must be legal. (i.e. 18 USC Sec. 1030 (a) 2 (c))

    4. If the Sherman anti-trust act can be applied here then it would also apply for spammers. SPAM is more in violation of the anti-trust act than RBL lists. (Why? because it prevents the delivery of legitimate e-mail, thus purposely causing delays and interfering with commerce)

    Other solutions mentioned are worth merit, but it should be pointed out that these solutions are most often used and are most effective when used in conjunction with RBLs. A better solution would be to fundamentally change the way e-mail delivery works. DJB (http://cr.yp.to) had an idea some time ago where the cost of e-mail sent is borne by the sender, not the receiver. That system may be the best bet. The ability to then block senders becomes a lot easier and your ISP doesn't have to do very much "heavy lifting". The spammers get to do it. I like that idea better.

    cluge

    • We use SPEWS RBL and it takes out about 40% of the incoming as SPAM on a non-business day (holiday, weekend) and about 20% on a business day. This is on a site that gets a moderate amount of incoming email, about 8-10k messages per day.

      We've had two collateral complaints, one from a vendor and one from a client.

      The vendor I understand; they're a marketing concern and they have been dipping their toes in "direct email marketing" (highbrow spam?), but they do it from their business netblocks.

      The client surprised me; a household name in the home products business -- you'd all recognize their name. But they're one of those "smart" businesses that buys low-budget ISP service, takes whatever 'free' /28 the ISP gives them and NATs everything to that block. Surprise, surprise, Joe Spammer had that /28 (or the /24 that contains it) so they're getting nailed as spammers. What I don't get is why someone wouldn't fix this! Get a different /28, get de-listed from SPEWS, do something.

      But other than those two, I have gotten zero complaints. It's an imperfect tool (I still get a dozen or so per day), but easy to implement and as long as the people making the list are active and flexible, a valuable one.
  • Bollocks! (Score:5, Insightful)

    by odaiwai ( 31983 ) on Tuesday December 31, 2002 @09:08AM (#4987715) Homepage
    Having briefly looked at the paper, it seems like the usual complaining about RBLs as being too broad you see all the time in NANAE (news:news.admin.net-abuse.email).

    Summary: someone tries to send email and finds that they're listed on SPEWS. They complain because "we're not an open relay", without figuring out just why they're on that list. Almost invariably, they're on the list because their ISP persistently ignores spam complaints and prefers spammer money to honest customer money. I think there have been about two or three actual mistakes in the SPEWS listings in the year or so I've been following NANAE. Otherwise, it's all been a legitimate extension of the block because the ISP knowingly ignores complaints and supports spammers.

    Spam is theft. Theft of Bandwidth, theft of service and theft of time. It's that simple. Spammers are thieves. ISPs which support spammers are thieves. Soon, they'll be blocked from the public internet for anti-social behaviour. After all, if your local bargain supermarket ignored the thieves stealing 20% from every transaction you make with them, will you go back?

    Many South American and Asian ISPs are blacklisted because they were quite happy to spam everyone when they could steal bandwidth and service from other ISPs. Now that they're blacklisted, they're whinging and moaning about 'freadom of speach', interference with interstate commerce, and other such bullshit.

    It's about none of these things. Blacklists are about protecting your network from a Denial of Service attack by spammers.

    People who complain about RBLs (or DNSBLs, to be more accurate) are missing the point. They should be complaining about spammers who think it's acceptable to steal my bandwidth and your bandwidth to advertise their product.

    dave "the only good spammer is a rotting corpse, dangling from the noose"
  • by sqlrob ( 173498 ) on Tuesday December 31, 2002 @09:09AM (#4987719)
    Operates on a per message basis
    and
    Scalable (resources)

    Aren't mutually exclusive?

  • Clever message on the open relay. How about this one?

    220 mail.XXXXX.com: By connecting to this host
    220 you agree to be open relay tested by
    220 njabl.org. You also agree
    220 to only send traffic that complies with our
    220 AUP and our providers AUP. ESMTP

    Seeing that your server must connect to mine first, I wonder which contract will be upheld in court?

    cluge
    • Neither. A contract requires consideration (something of value exchanged) and the intention to form a contract on both sides. I'm not a lawyer, but both your banners rely on the person connecting actually seeing the banner. The odds are that they won't.
    • Neither one. To form a contract, both parties must realize there is a contract. Since there is no standard, nor any kind of accepted practice, for putting conditions on the acceptable email in the SMTP banner, there is no contract.
      -russ
  • Oh, boo hoo. (Score:2, Interesting)

    by turambar386 ( 254373 )
    Well, I have mod points but I have to reply.

    So, this guy has a problem: his mail server is blacklisted because it is part of the same netblock as a spammer.

    So, rather than switching to a responsible ISP that doesn't allow spammers on its network, he writes a long-winded whine about how to solve the "problem" of RBLs (although, mind you, he doesn't give a solution, just what he thinks should be part of the solution).

    What he doesn't seem to understand is that the blacklisting of entire netblocks is only done as a last resort when ISPs refuse to get rid of spammers on their networks. It is a punitive measure to try to force the ISP to act.

    While I applaud this guy for doing his research, I think he is misguided and even narrow minded. If you are part of the 'collateral damage' because your ISP allows spammers on its network, do the right thing and take your business elsewhere.
  • I did not read the article in whole (I am at work right now) but it is a big deception to see that the author, in the section about other anti-spam measures, wrote only a single paragraph on user education. It's a big deception because this is the root of the problem. Sysadmins can fiddle all their time with Spamassassin and Vipul's Razor but as long as some moron will buy penis enlargement cream from spammers, spam will continue to be profitable.

    The only way to reliably and permanently stop spam is to make it unprofitable. Since spamming has near-zero cost, anti-spam measures must attack the revenue stream of spammers. The revenue stream is people buying into spam. Thus having fewer people buy into spam is the only effective anti-spam prevention measure. All the rest is just a Band-Aid in a losing battle.

    BTW, this is the same thing with tele-marketing, junk fax, etc.
    • by Steve B ( 42864 )
      Since spamming has near-zero cost, anti-spam measures must attack the revenue stream of spammers. The revenue stream is people buying into spam.

      The problem is that the relevant "people" are not necessarily the ones stupid enough to respond to spammed come-ons. Even in the (unattainable) case in which nobody ever responds to spamvertising, spammers will still make money.

      Large-scale spammers don't sell their own crap; they sell the "service" of spamming advertisements for other people's crap. Even if nobody responds to the spam, the spammer still has the money. Eventually, some of the clients get tired of flushing their money down the toilet, but there will always be customers for the spammer's snake-oil pitch.

  • by Lumpish Scholar ( 17107 ) on Tuesday December 31, 2002 @09:27AM (#4987796) Homepage Journal
    (1) You (and I) get too much spam.

    (2) Your e-mail system administrator (and mine) need to keep beefing up the servers because the sheer volume of e-mail is growing so quickly.

    To a first approximation, filters solve (1) but not (2), and black hole lists solve (2).

    whirlycott summarizes the problem with (2) in two words: "collateral damage." How much of the e-mail network do we need to destroy in order to save it?

    We need to move past first approximations. We need systems that work at the server level, but that somehow address the problems of collateral damage and false positives.

    This is only the tip of the iceberg. Any network messaging medium is vulnerable to abuse by spammers. The problem started with Netnews, it continued with e-mail, it's happening now with instant messaging. We need at least a high-level solution that helps solve the problem regardless of protocol.

    I wish I had one.
  • by zentec ( 204030 ) <zentec@gmai l . com> on Tuesday December 31, 2002 @09:30AM (#4987819)

    The problem, as I've said here before, is SMTP itself.

    The RFC pretty much states that to be compliant, you have to accept the mail as it is presented. Can't achieve accurate or trusted reverse name lookup information on the sending system? Well, that's tough, take the mail (read this for yourself).

    This problem stems from when systems on the Internet were inherently trusted. That's not the case any longer, and it's time for a new mail transmission standard.

    For starters, it should allow system administrators the ability to give priority to systems that can present some form of credentials. SSL or keyed encryption, whatever the standard is, it will permit systems to give totally trusted access to systems that meet the specific security and trust guidelines of the receiving system, not the RFC (times have changed, tough).

    Those systems that do not meet minimum trust levels will either have to clean up their act or take the time to contact the remote system to figure out the issue.

    It won't stop spam, but it will go a long way to slowing it down and possibly providing some secure method of mail transport in the process.
  • by neildogg ( 119502 ) on Tuesday December 31, 2002 @09:30AM (#4987822) Homepage
    It's important to realize the point of RBL blocking. It isn't to make end-users happy, it's designed to lower traffic on the mail servers. So a proposed solution needs to be something that the ISP can execute without having to analyze the email. RBLs monitor a single variable, IP, to determine whether it should be accepted or not. If someone could come up with an idea that processed emails based on another single variable, then we'd have ourselves a good spam filter.
  • by fruey ( 563914 ) on Tuesday December 31, 2002 @09:32AM (#4987829) Homepage Journal
    I can whitelist. So I can also DNSBL. My server, my rules.

    One proviso: if anyone complains, I will look at it.

    RFCs require that one accepts mail for postmaster@domain.com and from the empty envelope sender. Since I do this, I believe I am fully RFC compliant.

    So stop whining about DNSBL. The problem is wider than that, and will not be solved by getting rid of DNSBL. The system isn't perfect, but that is not the issue.

  • In Defense of RBLs (Score:5, Interesting)

    by minas-beede ( 561803 ) on Tuesday December 31, 2002 @09:37AM (#4987859)
    I have been a very loud protestor about collateral damage in news.admin.net-abuse.email. I well understand the problem but I think you over-estimate it. SPEWS deliberately lists non-spam-source IPs - that's collateral damage, that's wrong and avoidable. Take that away and the remaining collateral damage is unfortunate but not severe.

    Many have changed how they use RBLs - instead of simply rejecting they send a reply asking for confirmation the sender is a real human. If that confirmation is made the original message is delivered. That seems to be simple, straightforward, and capable of reducing collateral damage to a very low level. It even has intelligence behind it.

    I advocate relay spam honeypots (and open proxy honeypots - move with the times, keep up with the spammers). The white paper doesn't even mention these. The WP has the section asking if open relays are necessary. Well, no, they probably aren't. Is there a point? For how many years has there been an effort to secure open relays? Has it succeeded? The fact is that they are there - asking if they are necessary may inform you but it doesn't change the situation in any useful way.

    For all these years the spammers have been given free access to the relay level - there's a self-satisfying division into the secure systems run by the wise and the open relays run by inept administrators. That division allows the operator of a secure system to condemn the operator of an open relay with confidence - he can strut. Yippee. As a spam-fighting tool it's close to a complete bust. Well, yeah, lots of open relays have been secured. BFD - there's still enough for the spammers, and RFC 2505 said it would be this way. Yo: RTFM (in this case RTFRFC.)

    You want to hurt the spammers? OK, hurt them. It's not like you have to go out of your way - accept and deliver one of their relay tests and the chances are excellent they'll send you spam that you can discard. That's still a secure system, but it has teeth instead of gums.

    There are all these people falling over themselves devising elaborate filters. If you simply open up a relay enough to accept the spam but not deliver it there's no filter needed - a non-mail-server system that receives relay email receives close to pure spam - you will never get a filter as selective as that. Accept and deliver the relay tests and you have screwed the spammer. I won't even enumerate all the ways he is or can be screwed but there's a bunch.

    If 5% of the Windows systems with network connections ran Jackpot then spam would be dealt a mortal blow:

    http://jackpot.uk.net/

    It isn't hard, and it does tremendous good. Check it out.
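    The policy the post above describes (answer like an open relay, let the spammer's own relay test through so the host looks exploitable, then accept and sink the bulk run that follows), as an added example. This is not the poster's code and not Jackpot's; it is only the per-session decision logic, written here in Python with a constructed probe session and bulk session. The local domain name, the one-message-per-peer quota used to recognise the probe, and every address in the sample sessions are assumptions for the example.

```python
"""SMTP relay-honeypot decision logic.

Added example, not code from the thread or from Jackpot. It models the policy the
post describes: talk like an open relay, let the spammer's own relay test through
so the host looks exploitable, then accept and sink everything relayed after it.
The local domain, the per-peer quota and the sample sessions are constructed.
"""
import re
from dataclasses import dataclass, field

LOCAL_DOMAINS = {"honeypot.example"}   # assumed: mail for these domains is genuinely ours
RELAY_TESTS_PER_PEER = 1               # assumed: forward only the first relayed message per peer


@dataclass
class Message:
    peer: str
    sender: str
    recipients: list
    body: str
    relay: bool   # True when any recipient is outside LOCAL_DOMAINS
    action: str   # "deliver" or "sink"


@dataclass
class Session:
    peer: str
    delivered: dict   # shared across sessions: peer -> relayed messages forwarded so far
    sender: str = ""
    recipients: list = field(default_factory=list)
    in_data: bool = False
    data: list = field(default_factory=list)
    messages: list = field(default_factory=list)


def _is_local(address: str) -> bool:
    m = re.search(r"[^<>@\s]+@([^<>@\s]+)", address)
    return bool(m) and m.group(1).lower() in LOCAL_DOMAINS


def _end_of_message(s: Session) -> str:
    relay = any(not _is_local(r) for r in s.recipients)
    if not relay:
        action = "deliver"   # mail for our own domain is real mail
    elif len(s.recipients) == 1 and s.delivered.get(s.peer, 0) < RELAY_TESTS_PER_PEER:
        action = "deliver"   # the probe: one recipient, first relayed message from this peer
        s.delivered[s.peer] = s.delivered.get(s.peer, 0) + 1
    else:
        action = "sink"      # the bulk run after a successful probe: accept, never forward
    s.messages.append(Message(s.peer, s.sender, list(s.recipients), "\n".join(s.data), relay, action))
    s.sender, s.recipients, s.data, s.in_data = "", [], [], False
    return "250 OK queued"


def handle_line(s: Session, line: str) -> str:
    """Feed one client line to the session; returns the reply (empty while inside DATA)."""
    if s.in_data:
        if line == ".":
            return _end_of_message(s)
        s.data.append(line[1:] if line.startswith(".") else line)   # undo dot-stuffing
        return ""
    verb, _, arg = line.partition(" ")
    verb = verb.upper()
    if verb in ("HELO", "EHLO"):
        return "250 honeypot.example"
    if verb == "MAIL":
        s.sender = arg.partition(":")[2].strip()
        return "250 OK"
    if verb == "RCPT":
        s.recipients.append(arg.partition(":")[2].strip())
        return "250 OK"   # an open relay says yes to any recipient, so we do too
    if verb == "DATA":
        if not s.recipients:
            return "503 Need RCPT first"
        s.in_data = True
        return "354 End data with <CR><LF>.<CR><LF>"
    if verb == "QUIT":
        return "221 Bye"
    return "500 Command not recognized"


def run_session(peer: str, client_lines, delivered: dict) -> Session:
    s = Session(peer=peer, delivered=delivered)
    for line in client_lines:
        handle_line(s, line.rstrip("\r\n"))
    return s


# Constructed sessions: the probe, then the bulk run the post says follows it.
PROBE = ["EHLO probe.spammer.example", "MAIL FROM:<probe@spammer.example>",
         "RCPT TO:<probe@spammer.example>",   # spammers mail the relay test to themselves
         "DATA", "Subject: relay test", "", "..a stuffed dot", ".", "QUIT"]
BULK = ["EHLO bulk.spammer.example",
        "MAIL FROM:<deals@spammer.example>", "RCPT TO:<alice@victim.example>",
        "RCPT TO:<bob@other.example>", "DATA", "buy now", ".",
        "MAIL FROM:<deals@spammer.example>", "RCPT TO:<carol@victim.example>",   # quota already spent
        "DATA", "buy now", ".",
        "MAIL FROM:<friend@other.example>", "RCPT TO:<postmaster@honeypot.example>",   # real local mail
        "DATA", "hello", ".", "QUIT"]


def actions_for(peer: str):
    """Run PROBE then BULK from one peer; return (relayed?, action) per message."""
    delivered = {}
    msgs = run_session(peer, PROBE, delivered).messages + run_session(peer, BULK, delivered).messages
    return [(m.relay, m.action) for m in msgs]
```

    Here "deliver" only means the message would be handed to an outbound queue; the example never sends anything. The interesting part is the probe heuristic: a single-recipient first message from a new peer is treated as the relay test and let through, everything relayed after that is accepted with a 250 and dropped, and mail for the honeypot's own domain is never sunk. Wiring it to a real listener means reading one line at a time off a socket on port 25 and writing back whatever handle_line returns.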
  • You (ISPs) just need to modify your IP allocation policies such that you put all known spammers in the "ghetto" address range. Said range gets blocked by RBL, none of your more legitimate users notice. The spammers can't complain because they are breaking your AUP (you have a well-defined AUP, don't you?).
  • ... see http://cr.yp.to/im2000.html
  • by ?erosion ( 62476 ) on Tuesday December 31, 2002 @09:46AM (#4987923) Journal
    Isn't this how a blacklist is supposed to work? I thought the idea was precisely to annoy the honest users, such that they complain to the ISP. If the users know that they are blacklisted because of a spammer, they are likely to either leave the ISP or pressure it to turn the spammer off. It's not nice, but the intent is to get results.

  • by theLOUDroom ( 556455 ) on Tuesday December 31, 2002 @09:54AM (#4987972)
    A huge amount of spam is being sent through unsecured relays in Asia and South America. Consequently, an overwhelmingly large percentage of the hosts listed on RBLs are in fact based in these countries (see Wired article: Not All Asian E-Mail Is Spam). This amounts to nothing less than discrimination and isolationism that is being used to slowly cut off countries that have a critical importance in global matters

    Obviously, if a huge amount of spam is coming from a huge amount of servers in a country, a huge amount of servers in that country are going to get blocked.
    How about we drop the sensationalism here?
    It's not some conspiracy to block all mail from Asia.

    Look, maybe some people need to get mail from Asia, but I don't have any reason to. I'm not obligated to let anyone on the internet contact me at will. I can pick and choose who to block/accept at will. If people don't want their servers to get blocked, maybe they should deal with their spam problem. I don't have time to fix it for them.

    Look at it this way:
    The internet is this huge shared network. It has a finite amount of bandwidth and it works because everyone carries data to its destination.

    The question here should not be if any nodes should ever get blocked. The question should be: How much junk traffic should a single node on the network have to generate before it happens?

    At some point you have to start blocking people. If I start DOSing an email server (almost what spam is), I can expect to have my traffic blocked at some point. Maybe I have to send a million junk messages, maybe a billion, but at some point it's costing too much to carry and process my traffic. Yes, bandwidth costs money. That's just the way a system like the internet has to work. There have to be mechanisms in place to handle the case where a node starts misbehaving. One of those mechanisms has to be dropping traffic from that node.

    Carrying junk traffic costs money. Filtering costs money. At some amount of traffic, the cost becomes too high, and you have to block the traffic. Think of it as a signal to noise ratio. There always needs to be some number, at which you pull the plug, because the data isn't worth dealing with anymore.(And filtering it is too expensive)

    Any time you share something you're going to need the ability to do this. If I start driving in the middle of a two lane highway, I can expect to get pulled over and have my license revoked (eventually). It should be. I'm messing up things for everyone else and the sensible way to fix it is to remove me.
  • Flood them with responses. A volunteer organization which floods them with answers. Not the answers they want, but answers they nevertheless have to take time to deal with. The trick is not to make spam impossible, but to make it unprofitable.

    and a potential solution. Recently, I read an interview with a spammer. She said that she could make a profit with a response rate of .001 percent. That's right, .001 PERCENT. Our anti-spam measures actually help her target the gullible. But what if she had a response rate of 1 percent? She sends out millions of spams per day. Say she got 10,000 replies (or her customers did.) Not buying their dreck, but instead asking for more info or some such. Would they be able to find the legitimate responses in the deluge?
  • --well, wish I knew what I was talking about here, but I'll try anyway, perhaps someone will recognize what I'm trying for. It might even exist for all I know.

    I see spam as being an email protocol problem as much as anything else. Too easy, too easy for bots to get addresses now or guess them. The spammers are like drunk drivers on their 15th DUI, lost their license long ago, but are still on the roads. The deal is, we don't really have any road control, there's no traffic cops (and don't want them thankew). So, we need "new roads" that people can use to send "electronic mail" to each other that ISN'T something in common use yet. It needs to be set up so that only people that are trusted by anyone "you" can use. It's this name@someplace.com. See that @ symbol? How about a replacement, and some sort of new way to start "electronic mail" from scratch and build trusted private networks for correspondence, and something that didn't use that @ symbol?

    Yes, I know this is probably naive, don't know how to describe this better though. Is there such a critter in existence? If I was living in a floodplain, and had to constantly add to the sandbag piles to keep the water out, and it still leaked all the time, well, I'd just move someplace better. I see the email problem now to be just that, never ending war with spam, anti spam, anti anti spam, anti anti anti spam, etc. I'd rather scrap the whole email thing as it stands and start over with something "better", move OUT of the floodplain. So, I'm asking, where's the "high ground" to move to?
  • by bdsesq ( 515351 )
    I am admin/postmaster for a small college. Several months ago a new hack was developed that got through my version of sendmail. This was kind of ok because the spammers didn't know I was vulnerable.

    Along comes one of the RBLs and tests my site. So far so good. But instead of sending an email to postmaster@the-blocked-site they post my IP and a sample of how to use my system to forward spam.

    Several days later, on a weekend of course, the spammers started using me. The spammers aren't stupid either. They use the RBLs to find new relays.

    I have fixed the problem. However, one small email notification would have prevented several hundred thousand spams. I wonder how many sites have been used this way?

  • The whole of his argument is "there might be collateral damage". Well duh! Choose a DNSBL (Note: RBL is the name of a specific DNS Blocking List) that has a policy against collateral damage. Some do, some don't. He's complaining that collateral damage hurts innocent parties. Well, he's just done the same thing he's complaining about by damaging the reputation of DNSBLs that don't do collateral damage.
    -russ
  • My ass

    Once your ISP allows people to test then maybe you'll get off the list of IPs that block open relay testing.

    RBL results [osirusoft.com] : 127.0.0.4, Test blockers: Null routed all access

    So, exactly why are you, or your ISP, afraid to be tested? Oh, I see, your stance may be that relay testing may well be illegal. Well tough. If someone turns up at your door and asks for entry you would ask for identification. Your ISP's stance in banning relay check connections is equivalent to not producing identification, but demanding entry anyway.

    Until you can prove that you're not a spammer then don't expect your RBL status to change, and for those people that block on that status, you won't get through.
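    The lookup behind the "RBL results" line quoted in the post above, as an added example in Python. This is not the poster's code and not any list operator's: it builds the reversed-address query name, reads the 127.0.0.x answer codes, and applies the two checks a mail admin should run before trusting a list (a parked or wildcarded zone answers every query and would reject all mail; RFC 5782 says a live list must list 127.0.0.2 and must not list 127.0.0.1). The zone name, the code meanings and the canned resolver answers are constructed for the example; real lists publish their own code tables.

```python
"""DNSBL lookup with the sanity checks a mail admin should apply.

Added example, not code from the thread or from any list operator. The zone
name, the return-code meanings and the canned resolver answers are all
constructed for the example; real lists document their own codes.
"""
import ipaddress
import socket
from typing import Callable, Iterable

CODE_MEANINGS = {   # assumed meanings; take the real ones from each list's documentation
    "127.0.0.2": "open relay",
    "127.0.0.4": "relay-test blocker (the code the post above quotes)",
    "127.0.0.9": "open proxy",
}
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the address into the DNSBL query name (RFC 5782 form); handles IPv4 and IPv6."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))
    else:
        labels = reversed(addr.exploded.replace(":", ""))   # 32 nibbles, one label each
    return ".".join(labels) + "." + zone


def _is_code(answer: str) -> bool:
    try:
        return ipaddress.ip_address(answer) in LOOPBACK
    except ValueError:
        return False


def dnsbl_lookup(ip: str, zone: str, resolve: Callable[[str], Iterable[str]]) -> dict:
    """Return {"listed", "codes", "reasons", "error"} for ip against zone."""
    name = dnsbl_query_name(ip, zone)
    try:
        answers = list(resolve(name))
    except OSError as exc:
        # Resolver failure is not a listing: fail open, and let the caller log it.
        return {"listed": False, "codes": [], "reasons": [], "error": f"lookup failed: {exc}"}
    codes = [a for a in answers if _is_code(a)]
    if answers and not codes:
        # An answer outside 127/8 is not a listing. Dead zones get parked or wildcarded,
        # and a server that blocks on "any answer" would then reject all mail.
        return {"listed": False, "codes": [], "reasons": [],
                "error": f"non-loopback answer {answers}: zone parked or wildcarded?"}
    return {"listed": bool(codes), "codes": codes,
            "reasons": [CODE_MEANINGS.get(c, "unknown code") for c in codes], "error": None}


def zone_is_sane(zone: str, resolve: Callable[[str], Iterable[str]]) -> bool:
    """RFC 5782 test entries: 127.0.0.2 must be listed and 127.0.0.1 must not."""
    try:
        listed_2 = [a for a in resolve(dnsbl_query_name("127.0.0.2", zone)) if _is_code(a)]
        listed_1 = [a for a in resolve(dnsbl_query_name("127.0.0.1", zone)) if _is_code(a)]
    except OSError:
        return False
    return bool(listed_2) and not listed_1


def system_resolve(name: str) -> list:
    """Production hook: the system resolver. socket.gaierror is an OSError, so the
    callers above treat NXDOMAIN and timeouts as 'not listed' plus an error note."""
    return socket.gethostbyname_ex(name)[2]


# Constructed resolver answers standing in for real DNS (never contacts the network).
FAKE_ZONE = "dnsbl.example"
FAKE_ANSWERS = {
    "2.0.0.127.dnsbl.example": ["127.0.0.2"],        # the RFC 5782 test entry
    "10.2.0.192.dnsbl.example": ["127.0.0.2"],
    "20.2.0.192.dnsbl.example": ["127.0.0.4", "127.0.0.9"],
}


def fake_resolve(name: str) -> list:
    return FAKE_ANSWERS.get(name, [])   # [] plays the role of NXDOMAIN


def wildcard_resolve(name: str) -> list:
    return ["192.0.2.1"]                # a parked zone answers everything with a parking address


def failing_resolve(name: str) -> list:
    raise OSError("resolver timeout")
```

    The two checks matter more than the lookup itself. A DNSBL that goes away and is later parked by a registrar starts answering every query with the parking host's address, and any server that equates "got an answer" with "listed" then bounces all of its mail; filtering answers to 127/8 and running the 127.0.0.2 / 127.0.0.1 probe at startup catches both that and a mistyped zone name. Failing open on resolver errors is the usual choice for a DNSBL check, since a resolver outage should slow spam filtering down, not stop mail.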

  • by Skapare ( 16644 ) on Tuesday December 31, 2002 @12:20PM (#4989055) Homepage

    The author of the article is yet another person who misunderstands the problem. The problem is not how to prevent the delivery of spam; that has already been solved. The problem is how to get the ISPs hosting the spammers that continue to eat up our bandwidth to disconnect them from the network. Decent ISPs will just do that upon the discovery that they have spammers. And it is acceptable to slap their hand once or even twice, but three spams and you're out. The problem is many ISPs are not decent at all, and will only act upon a financial incentive.

    Blocking the whole ISP is what is required. DNSBLs such as SPEWS are doing that incrementally, with the intent to minimize the number of others affected, for long enough to show to the ISP that they had better get rid of the spammers. At this point most ISPs will realize they will lose customers in the future, and will get rid of the spammers. A few will be stubborn, and will eventually have their entire address space listed.

    Not only do we not want mail from spammers, we don't want mail from anyone who supports spammers. And if you are paying money to an ISP who in turn is providing services to a spammer, then you are indirectly supporting spammers through financial benefits, such as the ISP offering the spammers lower rates through economy of scale. And do not forget that if you are doing this, you and your ISP are benefiting off the costs incurred by others.

    All this article is, is a reflection of frustration by an individual who just doesn't get it: that he needs to either turn his ISP around to be a decent member of the internet community, or he needs to switch to another ISP. It looks like a lot of work went into it, but the premise being all wrong, the article is worthless and offers no solutions.

  • by Skapare ( 16644 ) on Tuesday December 31, 2002 @04:24PM (#4990619) Homepage

    Here [ipal.org] is my reply to the RBL document. I felt it better to put the reply in proper context, so I made it by red markup on the original. Feel free to make further comments that way yourself, in this Slashdot thread, or in the mailing list the document identifies.

  • by Eristone ( 146133 ) <slashdot@casaichiban.com> on Tuesday December 31, 2002 @04:36PM (#4990680) Homepage
    I've been reading the various comments posted yet haven't seen anything from the POV of a large ISP. So let's see how it might work at some company whose former name has biblical references...

    1) John SneakySpam needs a new ISP because he's been thrown off of {insert other large ISP here}

    2) John contacts Sales and waves a decent sized monthly contract at Mary Salesgal.

    3) Mary finalizes the deal, collects her commission check and then skips off to make her next deal. (No vacation - the market is tight and any income is good income for Mary)

    4) John SneakySpam being a *really* smart guy becomes his own ISP and resells his service to ... Matt SpamSneaky - his cousin/brother. (Yeah, of course they're *closely* related)

    5) Matt SpamSneaky sets up his spam services and starts telling MomPop Inc. that he can reach millions of people for almost no cost.. say $500 per mailing. MomPop Inc. is pleased to spend $500 on advertising that'll reach millions. It's cheaper than the $5000 that the local ChroniTimes would charge for a 2 inch ad on page 39 of the Home/Life section or the $800 that the local "HangMyFlyerOnTheDoorknob" company charges to put out flyers in a neighborhood.

    6) Matt SpamSneaky waits until Friday afternoon - around 6p Pacific Time (after all the folks at the ISP have gone off to drown their sorrows in the chemical libation of their choice) to begin his "directed advertising"

    7) Around 2a Pacific Time on Saturday the postmaster and abuse boxes at directedmail.grp start getting the complaint messages.. but wait.. these mailboxes either don't exist or go straight to the bit bucket.

    8) Around 2:01a Pacific Time on Saturday, the automated programs that watch for Spam start looking up the ip addresses and netblocks and sending complaint messages to abuse and postmaster at "flightfromEgypt.net" about the issue.

    9) Around 2:35a Pacific Time on Saturday, the members of the Abuse department and/or the people who watch Postmaster return from the night of libation/comparison of whose supervisor/director/vp should end up at the bottom of Lake Mead first and before heading to bed log in to review the boxes to see if they should libate more or not.

    10) Around 3:45a Pacific Time on Saturday, the Abuse and/or Postmaster folks finish ranting and screaming about the individual in Sales who just made their living hell more painful... and also explain to the very nice people with the bullet-proof vests and shiny badges that you were just upset about something at work and if the neighbor really didn't like profanity, why did they subscribe to the Spice channel?

    11) Around 4:30a Pacific Time, the Abuse team attempts to contact John SneakySpam's company and/or sysadmin to let them know there's a problem that needs to be addressed. Ah, but their admin doesn't work weekends and you don't have another contact number or it's busy/doesn't answer/goes to voice mail. And you can't pull the plug on their system - that pesky contract they signed that guarantees uptime and network connectivity and stuff. So you're stuck until Monday. Or Tuesday if it's a long weekend.

    12) First thing next Business Day, you contact John SneakySpam. John says "hey it's one of my downstream customers - let me get ahold of them and tell them to stop." You wave the TOS, AUP and the fact you have a big backyard and a shovel in his face. John waves his contract back in yours. You contact Legal and Legal reviews John's contract and his monthly billing and says give him a warning.

    13) Repeat steps 6-12 at least twice more. 3 strikes rule and all.

    14) Legal now takes over. Jason LegalBeagle contacts John and says we're going to have to term the contract and John says "It was a downstream customer, let me term my contract with him and this won't happen again"

    15) Repeat steps 6-14 at least once more, possibly up to 3 times.

    16) Legal now is ready to toss John et al. out and deal with the contractual issues this entails. Not to mention John is behind on paying his bills. So out goes John.

    Total Time: Anywhere from 1-4 months

    Meanwhile, to the outside world, it appears that you aren't being "responsive". Just an alternate point of view...
